Autodesk BackBurner Null Dereference - Denial of Service

Autodesk BackBurner listens on TCP port 3234 and accepts a set of telnet commands from remote machines. For a particular command it fails to handle the request when an insufficient number of arguments is passed, resulting in a Null Dereference crash leading to Denial of Service.

VULNERABILITY
- The vulnerability exists in libDLnrapi30.dll, a Dynamic Link Library loaded by the Backburner Manager process manager.exe listening on TCP port 3234. The application does not check the number of arguments passed to a specific remote command, which results in a Null Dereference leading to Denial of Service.

[*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
------> become the master!!!
[*] Everyone has a will to WIN but very few have the will to prepare to WIN
[*] Invest yourself in everything you do, there's fun in being serious
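The report above describes the classic shape of this bug: a line-oriented command handler indexes into its argument array without first checking how many arguments the client actually sent, so a short request leaves a NULL slot that the handler dereferences. The following C program is an added illustration of that pattern and its fix, written for this thread; it is not BackBurner's code, and the command verb "JOBNAME" and the one-argument contract are hypothetical stand-ins, since the thread does not name the affected command.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8
#define LINE_MAX 256

/* Split a request line into whitespace-separated tokens.
 * Slots beyond argc are explicitly set to NULL, which is exactly
 * the condition an unchecked handler trips over. */
static int tokenize(char *line, char *argv[], int max_args) {
    int argc = 0;
    for (int i = 0; i < max_args; i++)
        argv[i] = NULL;
    for (char *tok = strtok(line, " \t\r\n");
         tok != NULL && argc < max_args;
         tok = strtok(NULL, " \t\r\n"))
        argv[argc++] = tok;
    return argc;
}

/* Vulnerable shape: the handler assumes the client sent argv[1].
 * If the request was just the verb, argv[1] is NULL and strlen()
 * dereferences it, crashing the whole listener process. */
static size_t vulnerable_handler(char *argv[]) {
    return strlen(argv[1]);
}

/* Hardened shape: validate the argument count before touching any
 * argument, and answer the client with an error instead of crashing. */
static int hardened_handler(int argc, char *argv[], char *out, size_t outlen) {
    if (argc < 2) {
        snprintf(out, outlen, "ERR expected 1 argument, got %d", argc - 1);
        return -1;
    }
    snprintf(out, outlen, "OK len=%zu", strlen(argv[1]));
    return 0;
}

/* Hardened dispatch: returns 0 on success, -1 on a rejected request.
 * "JOBNAME" is a hypothetical command name, not a real BackBurner verb. */
int dispatch(const char *request, char *out, size_t outlen) {
    char line[LINE_MAX];
    char *argv[MAX_ARGS];
    snprintf(line, sizeof line, "%s", request);   /* tokenize() modifies its input */
    int argc = tokenize(line, argv, MAX_ARGS);
    if (argc == 0) {
        snprintf(out, outlen, "ERR empty request");
        return -1;
    }
    if (strcmp(argv[0], "JOBNAME") == 0)
        return hardened_handler(argc, argv, out, outlen);
    snprintf(out, outlen, "ERR unknown command %s", argv[0]);
    return -1;
}

/* Same request routed through the unchecked handler. Only safe for
 * well-formed input; a bare "JOBNAME" would crash here. */
size_t dispatch_unchecked(const char *request) {
    char line[LINE_MAX];
    char *argv[MAX_ARGS];
    snprintf(line, sizeof line, "%s", request);
    tokenize(line, argv, MAX_ARGS);
    return vulnerable_handler(argv);
}

int main(void) {
    char buf[64];
    /* Constructed sample requests: one well-formed, one missing its argument. */
    const char *good = "JOBNAME alpha";
    const char *bad  = "JOBNAME";

    printf("unchecked(%s) -> %zu\n", good, dispatch_unchecked(good));
    dispatch(good, buf, sizeof buf);
    printf("hardened(%s)  -> %s\n", good, buf);
    dispatch(bad, buf, sizeof buf);
    printf("hardened(%s)  -> %s\n", bad, buf);
    /* dispatch_unchecked(bad) is deliberately not called: it would segfault. */
    return 0;
}
```

The defensive point is that argument-count validation belongs at the dispatch boundary, before any handler runs, and that a malformed request should produce a protocol-level error reply rather than terminating the service; a watchdog that restarts manager.exe limits the outage but does not remove the bug.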

Follow Up

Thank you for the detailed report of your findings. While we investigate and work on any remediation, we would also like to understand if you had any experience notifying or attempting to contact Autodesk prior to posting the information here. If you are open to discussing privately, you may contact us directly at PSIRT@autodesk.com

Remediation Available and Advisory Posted

I'm happy to report that our product team has remediated the issue you had identified and the updated app is now available for download from the Autodesk app store. We have also posted our security advisory, which gives you credit as the finder, to our Trust Center site here: http://www.autodesk.com/trust/securi...sk-sa-2017-001

That's awesome!
Glad to see that Autodesk has fixed the current and a few pending vulnerabilities.

Cheers!
b0nd